(11) EP 0 257 585 B1

(12) EUROPEAN PATENT SPECIFICATION

(45) Mention of the grant of the patent:
25.11.1992 Bulletin 1992/48

(21) Application number: 87112158.8

(22) Date of filing: 21.08.1987

(51) International Patent Classification (IPC)5: H04L 9/08

(54) Key distribution method

Schlüsselverteilungsverfahren

Procédé de distribution de clé


(84) Designated Contracting States:
BE DE FR GB

(30) Priority: 22.08.1986 JP 197610/86
22.08.1986 JP 197611/86

(43) Date of publication of application:
02.03.1988 Bulletin 1988/09

(73) Proprietor: NEC CORPORATION
Tokyo (JP)

(72) Inventor:
  • Okamoto, Eiji c/o NEC Corporation
    Minato-ku Tokyo (JP)

(74) Representative: VOSSIUS & PARTNER 
Postfach 86 07 67
81634 München (DE)


(56) References cited:
EP-A- 0 197 392
   
  • THE TRANSACTIONS OF THE I.E.C.E. OF JAPAN, vol. E69, no. 2, February 1986, pages 99-105, Tokyo, JP; T. MATSUMOTO et al.: "On seeking smart public-key-distribution systems"
  • PATENT ABSTRACTS OF JAPAN, vol. 10, no. 184 (E-415)[2240], 27th June 1986; & JP-A-61 30 829 (NEC CORP.) 13-02-1986
  • PROCEEDINGS OF THE 1986 IEEE SYMPOSIUM ON SECURITY AND PRIVACY, Oakland, California, 7th-9th April 1986, pages 134-137, IEEE, New York, US; C. MEADOWS: "A more efficient cryptographic matchmaking protocol for use in the absence of a continuously available third party"
   
Note: Within nine months from the publication of the mention of the grant of the European patent, any person may give notice to the European Patent Office of opposition to the European patent granted. Notice of opposition shall be filed in a written reasoned statement. It shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention).


Description


[0001] The invention relates to a method of distributing a key for enciphering an unenciphered or plain text message and for deciphering the enciphered message.

[0002] A well-known key distribution method, the public key distribution method used in public key cryptosystems, is disclosed in a paper entitled "New Directions in Cryptography" by W. Diffie and M.E. Hellman, published in the IEEE Transactions on Information Theory, Vol. IT-22, No. 6, pp. 644 to 654, November issue, 1976. The key distribution method disclosed in the paper memorizes public information for each of the conversers. In the system, before a converser A sends an enciphered message to a converser B, the converser A prepares an enciphering key (which represents a number obtained by calculating


generated from public information YB of the converser B and secret information XA which is kept secret by the converser A. The number p is a large prime number of about 256 bits in binary representation, which is publicly known. a (mod b) means a remainder of division of the number a by the number b. The converser B also prepares the key wk in accordance with


in a similar manner. YA and YB are selected so as to be equal to


respectively. As a result,


It is known that even if YA, a and p are known, it is infeasible for anybody except the converser A to obtain XA which satisfies



[0003] In the paper "On Seeking Smart Public-Key-Distribution Systems" by T. Matsumoto in "The Transactions of the IECE of Japan", Volume E69, No. 2, February 1986, pages 99 to 105, further public key distribution systems in addition to the above described method are explained. Each of these systems uses a great number of pieces of public information (Yi) corresponding to respective users (i). Since these pieces of public information used in the systems are generated irrespective of the names or the addresses of the users, it is impossible for each user to commit all the other users' pieces of public information to memory. Therefore, each of the disclosed systems must store the pieces of public information in a public file.

[0004] The prior art key distribution system of the type described, however, has disadvantages in that since the system needs a large amount of public information corresponding to respective conversers, the amount of the public information increases as the number of conversers increases. Further, strict control of such information becomes necessary to prevent the information from being tampered with.

[0005] An object of the invention is, therefore, to provide a key distribution method free from the above-mentioned disadvantages of the prior art system.

[0006] This object is achieved by a method comprising the features of claims 1 and 2, respectively.

[0007] Other features and advantages of the invention will become more apparent from the following detailed description when taken in conjunction with the accompanying drawings in which:

FIG. 1 is a block diagram of a first embodiment of the invention;

FIG. 2 is a block diagram of a second embodiment of the invention; and

FIG. 3 is a block diagram of an example of systems 101, 102, 201 and 202.



[0008] In the drawings, the same reference numerals represent the same structural elements.

[0009] Referring now to FIG. 1, a first embodiment of the invention comprises a first system 101, a second system 102 and an insecure communication channel 103 such as a telephone line which transmits communication signals between the systems 101 and 102. It is assumed herein that the systems 101 and 102 are used by users or conversers A and B, respectively. The user A has or knows a secret integer number SA and public integer numbers e, c, α and n which are not necessarily secret while the user B has or knows a secret integer number SB and the public integer numbers. These integer numbers are designated and distributed in advance by a reliable person or organization. The method to designate the integer numbers will be described later.

[0010] The operation of the embodiment will next be described for the case in which the user A starts communication. The system 101 of the user A generates a random number γ (Step A1 in FIG. 1) and sends a first key distribution code XA representative of a number obtained by computing SA · α^γ (mod n) (Step A2) to the system 102 of the user B (Step A3). Next, when the system 102 receives the code XA (Step B1), it generates a random number t (Step B2), calculates (XA^e / IDA)^t (mod n) (Step B5), and stores the resulting number in storage means (not shown) as an enciphering key wk for enciphering a message. The identification code IDA represents herein a number obtained by considering as a numeric value a code obtained by encoding the address, the name and so on of the user A. The encoding is, for instance, performed on the basis of the American National Standard Code for Information Interchange. Then, the system 102 transmits to the system 101 of the user A a second key distribution code XB representative of a number obtained by calculating SB · α^t (mod n) (Steps B3 and B4).

[0011] The system 101, on the other hand, receives the code XB (Step A4), calculates (XB^e / IDB)^γ (mod n) (Step A5), and keeps the resulting number as the key wk for enciphering a message. The identification code IDB represents the number obtained by considering as a numeric value a code obtained by encoding the name, address, and so on of the user B.

[0012] Subsequently, communication between the users A and B will be conducted by transmitting messages enciphered with the enciphering key wk via the channel 103.

[0013] The integer numbers SA, SB, e, c, α and n are determined as follows. n is assumed to be a product of two sufficiently large prime numbers p and q. For instance, p and q may be 2²⁵⁶ or so. e and c are prime numbers which are equal to or less than n, while α is a positive integer number which is equal to or less than n. Further, d is defined as an integer number which satisfies e.d

SA and SB are defined as numbers obtainable from IDA^d (mod n) and IDB^d (mod n), respectively.

[0014] If SA, SB, e, c, α, and n are defined as above, IDA and IDB become equal to SA^e (mod n) and SB^e (mod n), respectively. This can be proved from a paper entitled "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems" by R.L. Rivest et al., published in the Communications of the ACM, Vol. 21, No. 2, pp. 120 to 126. Since the key obtained by (XB^e / IDB)^r (mod n) on the side of the user A becomes equal to α^(e·r·t) (mod n) and the key obtained by (XA^e / IDA)^t (mod n) on the side of the user B becomes equal to α^(e·r·t) (mod n), the two users can prepare the same enciphering key. Even if a third party tries to assume the identity of the user A, he cannot prepare the key wk since he cannot find out z which meets



[0015] Referring now to FIG. 2, a second embodiment of the invention comprises a first system 201, a second system 202 and an insecure communication channel 203. It is assumed herein that the systems 201 and 202 are used by users A and B, respectively. The user A has or knows a secret integer number SA and public integer numbers e, c, α, and n, which are not necessarily secret while the user B has or knows a secret integer number SB and the public integer numbers. These integer numbers are designated and distributed by a reliable person or organization in advance. The method to designate the integer numbers will be described later.

[0016] The operation of the embodiment will next be described for the case where the user A starts communication. The system 201 of the user A generates a random number γ (Step AA1 in FIG. 2) and determines a first key distribution code XA representative of a number obtained by computing α^(e·r) (mod n) as well as a first identification code YA indicative of a number obtained by computing SA · α^(c·r) (mod n) (Step AA2). The system 201 then transmits a first pair of XA and YA to the system 202 of the user B (Step AA3). Thereafter, the system 202 receives the first pair (XA, YA) (Step BB1), calculates YA^e / XA^c (mod n), and examines whether or not the number obtained by the calculation is identical to the number indicated by an identification code IDA obtained from the address, the name and so on of the user A in a manner similar to the first embodiment (Step BB2). If they are not identical to each other, the system suspends processing of the key distribution (Step BB7). On the other hand, if they are identical to each other, the system 202 generates a random number t (Step BB3) and determines a second key distribution code XB representative of a number obtained by calculating α^(e·t) (mod n) and a second identification code YB obtained by calculating SB · α^(c·t) (mod n) (Step BB4). The system 202 then transmits a second pair of XB and YB to the system 201 of the user A (Step BB5). The system 202 calculates XA^t (mod n) and keeps the number thus obtained as an enciphering key wk (Step BB6).

[0017] The system 201, on the other hand, receives the second pair (XB, YB) (Step AA4), calculates YB^e / XB^c (mod n), and examines whether or not the number thus obtained is identical to the number indicated by an identification code IDB obtained from the address, the name and so on of the user B in a manner similar to the first embodiment (Step AA5). If they are not identical to each other, the system suspends the key distribution processing (Step AA7). If they are identical to each other, the system 201 calculates XB^r (mod n), and stores the number thus obtained as an enciphering key wk (Step AA6). Although the codes IDA and IDB are widely known, they may be communicated by the user A to the user B.

[0018] The integer numbers SA, SB, e, c, α and n are determined in the same manner as in the first embodiment. As a result,


respectively. If we presuppose that the above-mentioned reliable person or organization who prepared SA and SB do not act illegally, since SA is possessed only by the user A while SB is possessed only by the user B, the first pair (xA, yA) which satisfies

can be prepared only by the user A while the second pair (xB, yB) which satisfies

can be prepared only by the user B. It is impossible to find out a number x which satisfies

on the basis of f, b and n since finding out x is equivalent to breaking the RSA public key cryptogram system disclosed in the above-mentioned Communications of the ACM. It is described in the above-referenced IEEE Transactions on Information Theory that the key wk cannot be calculated from the codes xA or xB and n. The key distribution may be implemented similarly by making the integer number c variable and sending it from one user to another.
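
The two embodiments described in paragraphs [0009] to [0018] can be run end to end as below. This is an added example, not part of the patent text: the primes, the values of e, c and α, the user names and all function names are constructed for illustration. It assumes that d is the RSA private exponent, e·d = 1 (mod (p−1)(q−1)), since the defining relation is cut off in the text above, and it treats the first random number, written both as γ and as r in the description, as one value r.

```python
import secrets

# Trusted-center setup. All values are constructed for this example;
# the primes are far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1        # two known (Mersenne) primes
N = P * Q                          # public modulus n
E, C, ALPHA = 65537, 257, 7        # public primes e, c and public alpha
# Assumption: d is the RSA private exponent, e*d = 1 (mod (p-1)(q-1)).
D = pow(E, -1, (P - 1) * (Q - 1))


def identity(text):
    """ID: ASCII encoding of name/address read as one number (kept below n)."""
    return int.from_bytes(text.encode("ascii"), "big") % N


def issue_secret(id_num):
    """Center computes S = ID^d (mod n), so that S^e = ID (mod n)."""
    return pow(id_num, D, N)


def div(a, b):
    """a / b (mod n), i.e. a times the modular inverse of b."""
    return a * pow(b, -1, N) % N


def e1_code(secret, rnd):
    """First embodiment, steps A2/B3: X = S * alpha^rnd (mod n)."""
    return secret * pow(ALPHA, rnd, N) % N


def e1_key(peer_x, peer_id, rnd):
    """First embodiment, steps A5/B5: wk = (X^e / ID)^rnd (mod n)."""
    return pow(div(pow(peer_x, E, N), peer_id), rnd, N)


def e2_pair(secret, rnd):
    """Second embodiment, steps AA2/BB4: X = alpha^(e*rnd), Y = S*alpha^(c*rnd)."""
    return pow(ALPHA, E * rnd, N), secret * pow(ALPHA, C * rnd, N) % N


def e2_key(peer_x, peer_y, peer_id, rnd):
    """Steps BB2/BB6 and AA5/AA6: check Y^e / X^c = ID, then wk = X^rnd.

    Returns None when the check fails (processing suspended, BB7/AA7).
    """
    try:
        ok = div(pow(peer_y, E, N), pow(peer_x, C, N)) == peer_id
    except ValueError:             # X has no inverse mod n: malformed input
        ok = False
    return pow(peer_x, rnd, N) if ok else None


def run_exchange(r=None, t=None, guessed_secret=12345):
    """Run both embodiments for A and B, plus an impostor who lacks S_A."""
    r = r or secrets.randbelow(N - 2) + 2
    t = t or secrets.randbelow(N - 2) + 2
    id_a, id_b = identity("Alice, Tokyo"), identity("Bob, Osaka")
    s_a, s_b = issue_secret(id_a), issue_secret(id_b)

    xa, xb = e1_code(s_a, r), e1_code(s_b, t)
    out = {"e1_a": e1_key(xb, id_b, r), "e1_b": e1_key(xa, id_a, t)}
    # Impostor claims ID_A but builds X from a guessed secret: B still derives
    # a key, but it differs from the one the impostor can compute (e1_a).
    out["e1_b_vs_impostor"] = e1_key(e1_code(guessed_secret, r), id_a, t)

    (xa2, ya2), (xb2, yb2) = e2_pair(s_a, r), e2_pair(s_b, t)
    out["e2_a"] = e2_key(xb2, yb2, id_b, r)
    out["e2_b"] = e2_key(xa2, ya2, id_a, t)
    # The same impostor is rejected outright by the second embodiment.
    out["e2_forged"] = e2_key(*e2_pair(guessed_secret, r), id_a, t)
    return out


if __name__ == "__main__":
    for name, value in run_exchange().items():
        print(name, value)
```

The first embodiment authenticates only implicitly: a sender without SA is not detected, but ends up with a key that does not match the receiver's. The second embodiment rejects the forged pair before any key is derived.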

[0019] An example of the systems 101, 102, 201 and 202 to be used in the first and second embodiments will next be described referring to FIG. 3.

[0020] Referring now to FIG. 3, a system comprises a terminal unit (TMU) 301 such as a personal computer equipped with communication processing functions, a read only memory unit (ROM) 302, a random access memory unit (RAM) 303, a random number generator (RNG) 304, a signal processor (SP) 306, and a common bus 305 which interconnects the TMU 301, the ROM 302, the RAM 303, the RNG 304 and the SP 306.

[0021] The RNG 304 may be a key source 25 disclosed in U.S. Patent No. 4,200,700. The SP 306 may be a processor available from CYLINK Corporation under the trade name CY 1024 KEY MANAGEMENT PROCESSOR.

[0022] The RNG 304 generates random numbers r or t by a command given from the SP 306. The ROM 302 stores the public integer numbers e, c, α, n and the secret integer number SA (if the ROM 302 is used in the system 101 or 201) or the secret integer number SB (if the ROM 302 is used in the system 102 or 202). The numbers SA and SB may be stored in the RAM 303 from the TMU 301 every time the users communicate. According to a program stored in the ROM 302, the SP 306 executes the above-mentioned steps A2, A5, AA2, AA5, AA6 and AA7 (if the SP 306 is used in the system 101 or 201), or the steps B3, B5, BB2, BB4, BB6 and BB7 (if the SP 306 is used in the system 102 or 202). The RAM 303 is used to temporarily store calculation results in these steps.

[0023] Each of the systems 101, 102, 201 and 202 may be a data processing unit such as a general purpose computer and an IC (integrated circuit) card.

[0024] As described in detail hereinabove, this invention enables users to effectively implement key distribution simply with a secret piece of information and several public pieces of information.


Claims

1. A key distribution method comprising the following steps:

a) generating a first random number (γ) in a first system (101);

b) generating first key distribution information (XA) in said first system (101) by applying a predetermined first transformation to said first random number (γ) on the basis of first secret information (SA) known only by said first system (101), said first secret information (SA) being generated on the basis of identification information (IDA) of said first converser which is not secret;

c) transmitting said first key distribution information (XA) to a second system (102) via a communication channel (103);

d) receiving said first key distribution information (XA) in said second system (102);

e) generating a second random number (t) in said second system (102);

f) generating second key distribution information (XB) by applying said predetermined first transformation to said second random number (t) on the basis of second secret information (SB) known only by said second system (102), said second secret information (SB) being generated on the basis of identification information (IDB) of said second converser which is not secret;

g) transmitting said second key distribution information (XB) to said first system (101) via said channel (103); and

h) receiving said second key distribution information (XB) in said first system (101); wherein
   said first system (101) generates an enciphering key (wk) by applying a predetermined second transformation to said second key distribution information (XB) on the basis of said first random number (γ) and said identification information (IDB) of said second converser; and
   said second system (102) generates the same enciphering key (wk) by applying said predetermined second transformation to said second random number (t) and said identification information (IDA) of said first converser.


 
2. A key distribution method comprising the following steps:

a) generating a first random number (γ) in a first system (201);

b) generating first key distribution information (XA) in said first system (201) by applying a predetermined first transformation to said first random number (γ) on the basis of public information and generating first identification information (YA) by applying a predetermined second transformation to said first random number (γ) on the basis of first secret information (SA) known only by said first system, said first secret information (SA) being generated on the basis of identification information (IDA) of said first converser which is not secret;

c) transmitting said first key distribution information (XA) and said first identification information (YA) to a second system (202) via a communication channel (203);

d) receiving said first key distribution information (XA) and said first identification information (YA) in said second system (202);

e) examining whether or not the result obtained by applying a predetermined third transformation to said first key distribution information (XA) on the basis of said first identification information (YA) satisfies a predetermined first condition and, if it does not satisfy, suspending key distribution processing;

f) generating a second random number (t) if said first condition is satisfied at said step e);

g) generating second key distribution information (XB) by applying said predetermined first transformation to said second random number (t) on the basis of said public information, and generating second identification information (YB) by applying said predetermined second transformation to said second random number (t) on the basis of second secret information (SB) known only by said second system (202), said second secret information (SB) being generated on the basis of identification information (IDB) of said second converser which is not secret;

h) transmitting said second key distribution information (XB) and said second identification information (YB) to said first system (201) via said communication channel (203); and

i) examining in said first system (201) whether or not the result obtained by applying a predetermined third transformation to said second key distribution information (XB) on the basis of said second identification information (YB) satisfies a predetermined second condition and, if the result does not satisfy said second condition, suspending said key distribution processing or, if it satisfies said second condition, said first system (201) generates an enciphering key (wk) by applying a predetermined fourth transformation to said second key distribution information (XB) on the basis of said first random number (γ) and said identification information (IDB) of said second converser; and
   said second system (202) generates the same enciphering key (wk) by applying said predetermined fourth transformation to said first key distribution information (XA) on the basis of said second random number (t) and said identification information (IDA) of said first converser.


 


Claims (translation of the German text)

1. A key distribution method comprising the following steps:

a) generating a first random number (γ) in a first system (101),

b) generating first key distribution information (XA) in the first system (101) by applying a first transformation to the first random number (γ) on the basis of first secret information (SA) known only to the first system (101), the first secret information (SA) being generated on the basis of identification information (IDA) of the first converser, which is not secret,

c) transmitting the first key distribution information (XA) via a communication channel (103) to a second system (102),

d) receiving the first key distribution information (XA) in the second system (102),

e) generating a second random number (t) in the second system (102),

f) generating second key distribution information (XB) by applying the predetermined first transformation to the second random number (t) on the basis of second secret information (SB) known only to the second system (102), the second secret information (SB) being generated on the basis of identification information (IDB) of the second converser, which is not secret,

g) transmitting the second key distribution information (XB) via the channel (103) to the first system (101), and

h) receiving the second key distribution information (XB) in the first system (101),
wherein the first system (101) generates an enciphering key (wk) by applying a predetermined second transformation to the second key distribution information (XB) on the basis of the first random number (γ) and the identification information (IDB) of the second converser, and
the second system (102) generates the same enciphering key (wk) by applying the predetermined second transformation to the first key distribution information (XA) on the basis of the second random number (t) and the identification information (IDA) of the first converser.


 
2. A key distribution method comprising the following steps:

a) generating a first random number (γ) in a first system (201),

b) generating first key distribution information (XA) in the first system (201) by applying a predetermined first transformation to the first random number (γ) on the basis of public information, and generating first identification information (YA) by applying a predetermined second transformation to the first random number (γ) on the basis of first secret information (SA) known only to the first system, the first secret information (SA) being generated on the basis of identification information (IDA) of the first converser, which is not secret,

c) transmitting the first key distribution information (XA) and the first identification information (YA) via a communication channel (203) to a second system (202),

d) receiving the first key distribution information (XA) and the first identification information (YA) in the second system (202),

e) examining whether or not the result obtained by applying a predetermined third transformation to the first key distribution information (XA) on the basis of the first identification information (YA) satisfies a predetermined first condition and, if it does not satisfy it, suspending the key distribution processing,

f) generating a second random number (t) if the first condition is satisfied in step (e),

g) generating second key distribution information (XB) by applying the predetermined first transformation to the second random number (t) on the basis of the public information, and generating second identification information (YB) by applying the predetermined second transformation to the second random number (t) on the basis of second secret information (SB) known only to the second system (202), the second secret information (SB) being generated on the basis of identification information (IDB) of the second converser, which is not secret,

h) transmitting the second key distribution information (XB) and the second identification information (YB) via the communication channel (203) to the first system (201), and

i) examining in the first system (201) whether or not the result obtained by applying a predetermined third transformation to the second key distribution information (XB) on the basis of the second identification information (YB) satisfies a predetermined second condition and, if the result does not satisfy this second condition, suspending the key distribution processing or, if it satisfies the second condition, the first system (201) generates an enciphering key (wk) by applying a predetermined fourth transformation to the second key distribution information (XB) on the basis of the first random number (γ) and the identification information (IDB) of the second converser, and
the second system (202) generates the same enciphering key (wk) by applying the predetermined fourth transformation to the first key distribution information (XA) on the basis of the second random number (t) and the identification information (IDA) of the first converser.


 


Claims (translation of the French text)

1. A key distribution method comprising the following steps:

a) generating a first random number (γ) in a first system (101);

b) generating first key distribution information (XA) in said first system (101) by applying a predetermined first transformation to said first random number (γ) on the basis of first secret information (SA) known only by said first system (101), said first secret information (SA) being generated on the basis of the identification information (IDA) of said first converser, which is not secret;

c) transmitting said first key distribution information (XA) to a second system (102) via a communication channel (103);

d) receiving said first key distribution information (XA) in said second system (102);

e) generating a second random number (t) in said second system (102);

f) generating second key distribution information (XB) by applying said predetermined first transformation to said second random number (t) on the basis of second secret information (SB) known only by said second system (102), said second secret information (SB) being generated on the basis of the identification information (IDB) of said second converser, which is not secret;

g) transmitting said second key distribution information (XB) to said first system (101) via said channel (103); and

h) receiving said second key distribution information (XB) in said first system (101); wherein
   said first system (101) generates an enciphering key (wk) by applying a predetermined second transformation to said second key distribution information (XB) on the basis of said first random number (γ) and said identification information (IDB) of said second converser; and
   said second system (102) generates the same enciphering key (wk) by applying said predetermined second transformation to said first key distribution information (XA) on the basis of said second random number (t) and said identification information (IDA) of said first converser.


 
2. A key distribution method comprising the following steps:

a) generating a first random number (γ) in a first system (201);

b) generating first key distribution information (XA) in said first system (201) by applying a predetermined first transformation to said first random number (γ) on the basis of public information, and generating said first identification information (YA) by applying a predetermined second transformation to said first random number (γ) on the basis of the first secret information (SA) known only by said first system, said first secret information (SA) being generated on the basis of the identification information (IDA) of said first converser, which is not secret;

c) transmitting said first key distribution information (XA) and said first identification information (YA) to a second system (202) via a communication channel (203);

d) receiving said first key distribution information (XA) and said first identification information (YA) in said second system (202);

e) checking whether the result obtained by applying a predetermined third transformation to said first key distribution information (XA) on the basis of said first identification information (YA) satisfies a predetermined first condition and, if it does not satisfy it, suspending the key distribution processing;

f) generating a second random number (t) if said first condition has been satisfied at said step e;

g) generating the second key distribution information (XB) by applying said predetermined first transformation to said second random number (t) on the basis of said public information, and generating second identification information (YB) by applying said predetermined second transformation to said second random number (t) on the basis of the second secret information (SB) known only by said second system (202), said second secret information (SB) being generated on the basis of the identification information (IDB) of said second converser, which is not secret;

h) transmitting said second key distribution information (XB) and said second identification information (YB) to said first system (201) via said communication channel (203); and

i) checking in said first system (201) whether or not the number obtained by applying a predetermined third transformation to said second key distribution information (XB) on the basis of said second key identification information (XB) satisfies a predetermined second condition and, if the result does not satisfy said second condition, suspending the key distribution processing or, if the result satisfies said second condition,
   said first system (201) generates an enciphering key (wk) by applying a predetermined fourth transformation to said second key distribution information (XB) on the basis of said first random number (γ) and said identification information (IDB) of said second converser; and
   said second system (202) generates the same enciphering key (wk) by applying said predetermined fourth transformation to said first key distribution information (XA) on the basis of said second random number (t) and said identification information (IDA) of said first converser.


 



